
Active IQ Unified Manager Discussions

How to create a separate, least-privileged role for the OCUM service account user?

IMHOTEPSON

We have OCUM 7.1 with integrated (certificate-linked) OCPM. By policy, it is not allowed to use the default admin role for the service account that will poll the filers.

So we need to create a separate role with the required permissions and add the user to this role.

 

Does anyone know if there is a how-to? (I found one for DFM 7-Mode but not for OCUM cDOT.) Or can anyone advise how to do this?

 

Regards, imho

 

https://en.wikipedia.org/wiki/Principle_of_least_privilege

1 ACCEPTED SOLUTION

joele

Upfront warning - this user setup below is not approved by NetApp support and they won't take any responsibility for failed polling, missing data, alarms not triggering/catching issues, etc.  I don't expect any issues with this configuration but wanted to be as clear on this as possible.

 

I've had success using a limited role with OCUM/OPM 7.1 using the commands below:

 

security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname DEFAULT -access readonly
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "cluster application-record" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster modify" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster show" -access all
vserver services web access create -vserver <cluster_vserver> -name spi -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application ontapi -authmethod password -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application http -authmethod password -role ocum_readonly_role

 

Here's the rationale for the commands above.  

 

- A limited role is set up with access to the 'cluster application-record' command tree. This is where ONTAP tracks what OCUM/OPM/WFA instances are managing the cluster.

- OCUM also demands access to the 'metrocluster' command tree and polling fails without this access.
- A SPI role is created to allow OCUM/OPM to pull performance files.
- A login is created with http/ontapi access. All connectivity should be through API calls for most metrics, or HTTP calls to the SPI interface to pull performance data.

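The command set above is easy to get subtly wrong (a missing DEFAULT readonly line, an extra application, or a later "all" grant on a tree like 'system node run' that turns a polling account into an administrator). The script below is an added example for this thread, not code from the original post or from NetApp: it takes the accepted solution's role as input, emits the same ONTAP CLI lines, and lints the role before anyone pastes it into a cluster. The BROAD_DIRS and ALLOWED_APPS sets are this example's own assumptions about what a monitoring login should never be granted; the CLI strings only reproduce the `security login role create`, `vserver services web access create` and `security login create` syntax shown in the post.

```python
"""Build and sanity-check the ONTAP RBAC command set for a least-privileged
monitoring login, using the ocum_readonly_role from the accepted solution as
the worked input.

Added example for this thread; not code from the original post or from NetApp.
BROAD_DIRS and ALLOWED_APPS are this example's own assumptions.
"""

from dataclasses import dataclass, field
from typing import List, Tuple

# Command directories whose "all" access turns a monitoring role into an
# administrative one. Assumption: chosen for this example, not an ONTAP list.
BROAD_DIRS = {"system node run", "set", "security login"}

# A polling account only needs the ZAPI (ontapi) and HTTP (SPI) applications.
ALLOWED_APPS = {"ontapi", "http"}


@dataclass
class RoleSpec:
    vserver: str
    role: str
    user: str
    apps: Tuple[str, ...]
    # (cmddirname, access) pairs in creation order; "DEFAULT" is the fallback.
    entries: List[Tuple[str, str]] = field(default_factory=list)


# The accepted solution's role, exactly as posted in this thread.
THREAD_ROLE = RoleSpec(
    vserver="<cluster_vserver>",
    role="ocum_readonly_role",
    user="ocum_readonly",
    apps=("ontapi", "http"),
    entries=[
        ("DEFAULT", "readonly"),
        ("cluster application-record", "all"),
        ("metrocluster modify", "all"),
        ("metrocluster show", "all"),
    ],
)


def generate_commands(spec: RoleSpec) -> List[str]:
    """Emit the ONTAP CLI lines that create the role, its SPI web access and its logins."""
    cmds = []
    for cmddir, access in spec.entries:
        name = cmddir if cmddir == "DEFAULT" else f'"{cmddir}"'
        cmds.append(
            f"security login role create -vserver {spec.vserver} -role {spec.role} "
            f"-cmddirname {name} -access {access}"
        )
    cmds.append(
        f"vserver services web access create -vserver {spec.vserver} -name spi -role {spec.role}"
    )
    for app in spec.apps:
        cmds.append(
            f"security login create -vserver {spec.vserver} -user {spec.user} "
            f"-application {app} -authmethod password -role {spec.role}"
        )
    return cmds


def lint_role(spec: RoleSpec) -> List[str]:
    """Return findings where the role grants more than a monitoring account needs."""
    findings = []
    access = dict(spec.entries)
    if access.get("DEFAULT") != "readonly":
        findings.append("DEFAULT must be readonly so every unlisted command tree stays read-only")
    for cmddir, acc in spec.entries:
        if acc != "all":
            continue
        if cmddir in BROAD_DIRS or any(cmddir.startswith(b + " ") for b in BROAD_DIRS):
            findings.append(f"'{cmddir}' with access all is far broader than monitoring needs")
        # An "all" grant on a parent directory already covers its children; a
        # child entry beneath it only hides how much is really granted.
        for parent, pacc in spec.entries:
            if pacc == "all" and cmddir.startswith(parent + " "):
                findings.append(f"'{cmddir}' is redundant: '{parent}' already has access all")
    for app in spec.apps:
        if app not in ALLOWED_APPS:
            findings.append(f"application '{app}' is not needed for API/SPI polling; drop it")
    return findings


if __name__ == "__main__":
    print("\n".join(generate_commands(THREAD_ROLE)))
    print("findings:", lint_role(THREAD_ROLE) or "none")
    # Widening the same role with 'system node run' and 'set' (access all) and an
    # ssh login, as later discussed in this thread, trips the lint.
    widened = RoleSpec(THREAD_ROLE.vserver, THREAD_ROLE.role, THREAD_ROLE.user,
                       ("ontapi", "http", "ssh"),
                       THREAD_ROLE.entries + [("system node run", "all"), ("set", "all")])
    for finding in lint_role(widened):
        print("finding:", finding)
```

Running the lint against the posted role returns no findings; adding 'system node run' or 'set' with access all, or an ssh application, produces one finding each, which is the check to run before committing any "for testing" additions to a production cluster.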


joele

@colsen

 

I haven't tried this configuration with OCUM 7.2 yet but will take a look in the near future.

 

@IMHOTEPSON

 

Glad to hear the first tests are looking good!

colsen

Hello,

 

Okay - so I get the honorary "follow the rules dummy" award.  Anyway, I looked at your role list and saw the "metrocluster modify/show" and said "oh, we don't run metrocluster" so I didn't add those.  My colleague said, "well maybe if it gets a deny on any call it says discover failed".  We added those two permissions and voila - it works.

 

We'll let it run against our COOP cluster and make sure things look good and then apply it to the other clusters.

 

Thanks so much for the list - wish I had just followed it correctly in the first place!

 

Chris

joele

@colsen

 

Happens to all of us at one point or another!  I'm glad that OCUM is no longer complaining about failed polling.  I haven't had a chance to test out 7.2 with this custom role yet - let me know if you see any issues.

IMHOTEPSON

We use a separate (custom) role for compliance scripts.

I added the following:

-cmddirname "system node run" -access all

-cmddirname "set" -access all

 

This is for testing; it will be reduced to the dedicated commands. Thanks for the keep-in-mind thoughts 😉

joele

@IMHOTEPSON

 

Is OCUM running those compliance scripts as well?  Adding the 'system node run' tree with 'all' access opens up the role's capabilities by quite a bit, just a quick thought.

IMHOTEPSON

Sure, you are right. The compliance tool will have a separate user and will run from another system, so it is not addressed to OCUM itself.


EdRubins

On Ontap 9.3, the cluster vserver already has a service called "spi" in the admin role (and type admin). Wouldn't this conflict with the commands you've listed?

 

 

(cluster)::> vserver services web access show
Vserver         Type      Service Name      Role
--------------  --------  ----------------  ----------------
(cluster)       admin     spi               admin

 

-Ed

joele

It's quite likely it would, yes.  I'm curious to see how a 9.1/9.2 cluster with that previous set of commands run is impacted after upgrading to 9.3.  I'll add this to the list of things to check on.

joele

To close this one out -

 

I spun up a new 9.1 simulator, upgraded it to 9.3, and was able to run the previous command set without any issues or collisions.  I'm adding it to an OCUM 7.3 instance now to see how things look.

bjoern_shd

Hi,

 

I followed your instructions and created the ocum_readonly user with your read-only role on ONTAP 9.1P9.

 

OCUM 9.4 doesn't add the new cluster, with the following error message:

 

"Mon Jul 23 13:15:26 2018  scxxxxx  [kern_audit:info:1865] 8503e8000082515d :: scxxxxx:ontapi :: 10.xxx.xxx.xx:42836 :: scxxxxx:ocum_readonly :: Insufficient privileges: user 'ocum_readonly' does not have write access to this resource :: ONTAPI :: Error"

 

Is it possible to have a detailed read-only role for ontapi requests?

Thanks, bjoern
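When a cluster refuses to be added, the audit line quoted above is the evidence to work from: it names the application (ontapi), the client address and the user that was denied, and successful calls from the same account show which APIs the role must cover. The parser below is an added example for this thread, not code from the original post or from NetApp. It assumes the field layout visible in that single quoted line (event id :: node:interface :: client:port :: node:user :: message :: protocol :: status, separated by " :: "); the sample lines are constructed to match that layout, with a documentation-range address in place of the redacted one, and are not real ONTAP output.

```python
"""Parse ONTAP kern_audit lines to see which service account is being denied
and which commands it actually succeeds with, so a custom role can be widened
only as far as the evidence requires.

Added example for this thread; not from the original post or from NetApp.
Assumption: the " :: "-separated field layout is taken from the one line
quoted in the thread; SAMPLE_LINES are constructed, not real logs.
"""

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Matches the "Mon Jul 23 13:15:26 2018  node  [kern_audit:info:1865] " prefix.
AUDIT_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<node>\S+)\s+\[kern_audit:(?P<sev>\w+):\d+\]\s+(?P<rest>.+)$"
)

# Constructed sample lines (not real audit output). The denial copies the
# message text from the thread; the others are invented to match its layout.
SAMPLE_LINES = [
    "Mon Jul 23 13:15:25 2018  scxxxxx  [kern_audit:info:1864] 8503e8000082515c "
    ":: scxxxxx:ontapi :: 192.0.2.10:42836 :: scxxxxx:ocum_readonly "
    ":: system-get-version :: ONTAPI :: Success",
    "Mon Jul 23 13:15:26 2018  scxxxxx  [kern_audit:info:1865] 8503e8000082515d "
    ":: scxxxxx:ontapi :: 192.0.2.10:42836 :: scxxxxx:ocum_readonly "
    ":: Insufficient privileges: user 'ocum_readonly' does not have write access to this resource "
    ":: ONTAPI :: Error",
    "Mon Jul 23 13:15:26 2018  scxxxxx  [kern_audit:info:1866] 8503e8000082515e "
    ":: scxxxxx:ontapi :: 192.0.2.10:42837 :: scxxxxx:ocum_readonly "
    ":: Insufficient privileges: user 'ocum_readonly' does not have write access to this resource "
    ":: ONTAPI :: Error",
    "Mon Jul 23 13:16:02 2018  scxxxxx  [kern_audit:info:1867] 8503e8000082515f "
    ":: scxxxxx:ssh :: 192.0.2.20:51000 :: scxxxxx:admin :: volume show :: Success",
    "Mon Jul 23 13:16:03 2018  scxxxxx  [mgwd:info] some unrelated daemon message",
]


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    node: str
    interface: str   # ontapi, http, ssh, ...
    client_ip: str
    user: str
    message: str     # command/API name on success, error text on failure
    status: str      # "Success" or "Error"


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a kern_audit line, or None for anything else."""
    m = AUDIT_PREFIX.match(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group("rest").split(" :: ")]
    if len(parts) < 6:
        return None
    # parts[0] is the event id; interface and user fields carry a "node:" prefix.
    interface = parts[1].split(":", 1)[-1]
    client_ip = parts[2].rsplit(":", 1)[0]
    user = parts[3].split(":", 1)[-1]
    return AuditEvent(m.group("ts"), m.group("node"), interface, client_ip,
                      user, parts[4], parts[-1])


def parse_audit(lines: Iterable[str]) -> List[AuditEvent]:
    """Parse every kern_audit line, silently skipping other log records."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def denials_by_user(events: Iterable[AuditEvent]) -> Dict[str, Counter]:
    """Count failed calls per user, keyed by (interface, client_ip, message)."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        if ev.status != "Success":
            out[ev.user][(ev.interface, ev.client_ip, ev.message)] += 1
    return dict(out)


def commands_by_user(events: Iterable[AuditEvent]) -> Dict[str, Set[str]]:
    """Commands/APIs each user has actually run successfully: the real floor for a role."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.status == "Success":
            out[ev.user].add(ev.message)
    return dict(out)


if __name__ == "__main__":
    events = parse_audit(SAMPLE_LINES)
    for user, counter in denials_by_user(events).items():
        for (iface, ip, msg), n in counter.items():
            print(f"{user}: {n}x denied via {iface} from {ip}: {msg}")
    for user, cmds in commands_by_user(events).items():
        print(f"{user} ran successfully: {sorted(cmds)}")
```

Feed it the node's audit log (for example the output of `security audit log show` saved to a file, or the raw log pulled from the node) while OCUM attempts discovery; the denial counts tell you the account is being rejected rather than failing authentication, and the set of successful commands is the evidence for which trees a tighter role still has to include.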

joele

Repeating an earlier warning from this thread - this user setup below is not approved by NetApp support!  It's worked well in my (and others) experience but you're using this at your own risk!  NetApp and/or support won't take any responsibility for failed polling, missing data, alarms not triggering/catching issues, etc. 

 

If you need this functionality with official support please contact your NetApp account team to have them submit an internal request.

 

 

Hi bjoern,

 

I spun up a simulator for this testing and found 4 additional APIs being called:

 

ems-event-filter-create
ems-event-notification-create
ems-event-notification-destination-create
security-certificate-install

 

These new API calls make sense given how the OCUM software has evolved around alerting, and I'm surprised the certificate command wasn't already required.  I modified the custom role a bit and it's successfully discovering in an OCUM 9.4RC1 instance of mine.  Can you try this updated role and let me know how it looks on your end?

 

 

security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname DEFAULT -access readonly
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "cluster application-record" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster modify" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster show" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "event filter create" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "event notification destination create" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "event notification create" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "security certificate install" -access all
vserver services web access create -vserver <cluster_vserver> -name spi -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application ontapi -authmethod password -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application http -authmethod password -role ocum_readonly_role

 

 

Please note I've only quickly tried this in a lab and have *not* done any extensive testing on whether or not this lets OCUM 9.4 fully monitor ONTAP 9.1.

 

 

connoisseur

Hi.

 

Thanks for your solution.

I tried it on my 9.3P7 and works fine.

 

One question though.

We moved from local admin accounts to domain passthrough accounts for our administrators.

But, as domain passthrough accounts don't have SSH, we can't use the restore function in OCUM (therefore I'm looking at your solution).

 

But it's the same here now that we have an RO role.

What function do I need to change to be able to do a restore in OCUM with this kind of security login role?

 

//Henrik

boon

Sadly this won't work when you use EMS forwarding; you will get an error:

Unable to add data source, which can be caused by reaching the max number of EMS notification destinations in the data source.

I had to change the command directories for the event command:

event destination all
event filter all
event notification all
event route all

 

I'm sure you can break it down more, but for my needs it was enough. After this change, I could add the cluster with the new user/role.

 

Thanks 🙂

joele

Hi @bjoern_shd - have you had a chance to try this in your environment?  

joele

Hi bjoern,

 

I haven't tested this role with OCUM 9.4 yet unfortunately, but will take a look when I have some free time.

IMHOTEPSON

This solution looks fine so far; the first tests are successful. We will check the MetroCluster next and then we will see if we still get some issues.

many thanks for now 😉

colsen

Good morning - thanks a bunch for posting that role/account listing.  I had some time this morning so I tried setting up an account that way and applying it to the cluster data sources section on our COOP/non-prod cluster.  Anyway, after I updated the credentials on this particular cluster I got a "cluster login failed" status inside OCUM 7.2 - then no polling would occur and the cluster was unreachable.  I gave it a bit just to see if the polling cycle would pick it back up, but no dice.

 

I went ahead and added a ssh privilege to the role and verified the acct/pswd work via an interactive shell (i.e. just making sure I didn't fat-finger anything) but OCUM must be trying some method/whatever that isn't supported in the role as you've specified.  Any ideas what might be missing and/or where I'd look to see what the specific problem was?

 

Thanks!

 

Chris

colsen

* CORRECTION/UPDATE * - I just grabbed what I think is the latest RBAC/privs file and it doesn't look like it'll work - no version # for OCUM appears in the tool.  I pinged dbkelly to see if I'm just missing something...

 

Hello,

 

The RBAC tool (discussed here):

 

https://community.netapp.com/t5/Virtualization-and-Cloud-Articles-and-Resources/How-to-use-the-RBAC-User-Creator-for-Data-ONTAP/ta-p/86601

 

Has a template/profile for OCUM.  We used that in our shop and it seemed to work out pretty well.  Haven't run into any errors/problems so far with the resulting account.

 

Hope that helps,


Chris

IMHOTEPSON

Hi,

 

Installed the tool, but it failed when selecting the product "OnCommand Unified Manager" > "Select the version" (no version selectable).

We are using ONTAP 9.0P2 with OCUM 7.1.

If I check the ontapPrivs.xml, I only see the 7-Mode version (DFM):

 

<product id="dfm" label="OnCommand Unified Manager" description="OnCommand Unified Manager (DFM)">
    <dfm id="dfm51" label="DFM 5.1">

and I did not see the ONTAP 9 version.

 

😞

 

 
